Evil Corp cybercriminal gang members sanctioned in major move by UK crime agency


More than a dozen members of the Evil Corp cybercriminal group have been slapped with financial sanctions led by the UK’s National Crime Agency. The announcement coincides with a fresh intelligence profile about the Russian-backed organization.

Tuesday’s sanctions by the NCA target sixteen members of the organized criminal syndicate, with the US and Australia issuing another eight sanctions in total against the group, which include asset freezes and travel bans.

It’s all in coordination with the NCA’s release of a detailed dossier depicting the historic ins and outs of what many security insiders consider to be one of the ‘OG ransomware gangs’ operating with full support from the Russian government.

UK’s Foreign Secretary David Lammy said it was his “personal mission to target the Kremlin with the full arsenal of sanctions at our disposal.”

“Putin has built a corrupt mafia state with himself at its center. We must combat this at every turn, and today’s action is just the beginning,” Lammy said, adding that Tuesday’s sanctions “send a clear message to the Kremlin that we will not tolerate Russian cyberattacks - whether from the state itself or from its cybercriminal ecosystem.”

Evil Corp members are sanctioned by the UK, US, and Australia. Evil Corp family members pictured left to right: Dmitriy Slobodskoy, Cousin; Maksim Yakubets, Leader; Artem Yakubets, Brother; Kirill Slobodskoy, Cousin. Image by UK National Crime Agency.

The eight-page report, titled “Evil Corp: Behind the Screens,” illustrates a timeline of the group’s activities from its initial inception by head Maksim Yakubets as the Jabber Zeus Crew in 2007 to its official designation as Evil Corp in 2014 and its nefarious criminal endeavors in 2024.

The NCA described Evil Corp’s trajectory from a family-centered financial crime group in Moscow to a booming cybercrime outfit responsible for extorting at least $300 million from victims worldwide in healthcare, critical national infrastructure, and government, among other sectors.

“Maksim took this family business into the 21st century, bringing his father (Viktor Yakubets), brother (Artem), and cousins (Kirill and Dmitry Slobodskoy) along with him,” branching out from the family’s money laundering ties into a prolific cybercrime organization, the NCA report said.

Yakubets has evaded capture by Western authorities since he was indicted and sanctioned in 2019 by the US government, along with a $5 million bounty issued for information leading to his arrest.

Now, all four relatives and Evil Corp members have been sanctioned, including one of the group’s administrators, Igor Turashev, and Maksim Yakubets' father-in-law, Eduard Benderskiy, a former high-ranking FSB official.

Russian safety net is wide

Since the Lamborghini-driving ringleader made the FBI's most wanted list in 2019, Yakubets has kept himself hidden within Russia’s borders while enjoying a lavish lifestyle under the protection of all three major Russian intelligence agencies.

"He's roaming free in Russia, and he's not in prison, and Russia is taking no steps to arrest him," Irina Tsukerman, a geopolitical analyst specializing in cybersecurity, told Cybernews in 2022.

The NCA portrays Evil Corp as having gone “far beyond the typical state-criminal relationship of protection, payoffs and racketeering” with Moscow.

It had also been discovered that before 2019, Evil Corp was actually tasked by Russian Intelligence Services to conduct cyberattacks and espionage operations against NATO allies.

Evil Corp timeline. Image by UK National Crime Agency.

Evil Corp is known for developing variants such as Dridex and GameOver Zeus, and an Evil Corp profile by Mandiant threat researchers in 2019 linked the group to numerous other ransomware variants, including BitPaymer, DoppelPaymer, WastedLocker, Hades, PhoenixLocker, and PayloadBIN.

After its inner workings and ransomware variants were exposed by Mandiant and others, the cartel seemingly took steps to change up its ransomware toolkit and was even suspected of changing its name to distance itself from negative publicity, including the possible rebranding to the ransomware group named UNC2165.

In 2023, some of its members, operating under the DoppelPaymer ransomware moniker, were busted up and their servers seized by German and Ukrainian authorities.

Evil Corp and LockBit connection

The NCA’s bold move follows further announcements on Tuesday about the arrest of four LockBit ransomware gang actors in conjunction with Europol, the FBI, and at least a dozen other EU nations, including the UK agency.

The LockBit arrest reveal also included news of an unsealed indictment by the US Department of Justice against high-ranking Evil Corp member Aleksandr Ryzhenkov, aka “Beverley,” apparently moonlighting as an affiliate for the LockBit group in his spare time.

Labeled by the NCA as "a prolific affiliate of LockBit and strongly linked to Evil Corp,” Ryzhenkov is said to be the right-hand man for Evil Corp’s leader Maksim Yakubets.

"The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time," said James Babbage, Director General for Threats at the NCA.

"These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity," he added.

Evil Corp members are sanctioned by the UK, US, and Australia. Members pictured left to right: Denis Gusev, Aleksandr Ryzhenkov, Sergey Ryzhenkov, Artem Yakubets, Kirill Slobodskoy, Dmitriy Slobodskoy, Beyat Ramazanov. Image by UK National Crime Agency.

You can read more about Tuesday’s LockBit arrests, servers seized, and unsealed indictments in Cybernews’ coverage of the third phase of Operation Cronos – an ongoing international effort to dismantle the infamous ransomware group, which was launched in February.

Ryzhenkov is said to have personally been involved in carrying out at least 60 LockBit attacks in the US using BitPaymer, one of Evil Corp’s signature ransomware variants, and collecting over $100 million from victims.

"Today's charges against Ryzhenkov detail how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransom," said US Deputy Attorney General Lisa Monaco.

"With law enforcement partners here and around the world, we will continue to put victims first and show these criminals that, in the end, they will be the ones paying for their crimes," Monaco said.